
How to obtain .plist files

Open haohuoq opened this issue 1 year ago • 36 comments

I failed in the first step and found it difficult to find the path where findmy stores the .plist file. How did you find and retrieve it? Thank you

haohuoq avatar Apr 30 '24 09:04 haohuoq

Hey! Sorry for the late reply, I missed the notification somehow. The .plist files are not stored in plaintext; they must be decrypted first.

You can use this Swift program to find & decrypt your beacon files, or otherwise this one if the first script doesn't work. That should give you a .plist file which can be used by this library.

Let me know if it works!

malmeloo avatar May 01 '24 14:05 malmeloo

airtag-decryptor1 is the first method, and airtag-decryptor2 is the second method. From the picture, it may have some problem. The method is generated by command ‘swiftc airtag-decryptor1’ and ‘swiftc airtag-decryptor2’, if the comthod is wrong. I just finished my vacation and my response was a bit slow. Sorry.

haohuoq avatar May 06 '24 02:05 haohuoq

> airtag-decryptor1 is the first method, and airtag-decryptor2 is the second method. From the picture, it may have some problem. The method is generated by command ‘swiftc airtag-decryptor1’ and ‘swiftc airtag-decryptor2’, if the comthod is wrong. I just finished my vacation and my response was a bit slow. Sorry.

And findmy is always opening

haohuoq avatar May 06 '24 02:05 haohuoq

I'm not sure why it's giving that error... which MacOS version are you using? I should be able to run my own hackintosh soon ish, so might be able to investigate a bit then.

malmeloo avatar May 07 '24 13:05 malmeloo

I use VMware to simulate the Apple system, and my version is 13.5.2

haohuoq avatar May 08 '24 08:05 haohuoq

> I use VMware to simulate the Apple system, and my version is 13.5.2

@haohuoq for the second method, did you change the "hexKey" from 0xKEYINHEXFORMAT to your own key? and also remember to fix "fileURL"

snomile avatar May 12 '24 11:05 snomile

I get the same error (incorrect keysize) on my m1 pro max running 14.1 sonoma. I'm running the script from inside Xcode 15.01

alego500 avatar Jul 12 '24 01:07 alego500

I used https://github.com/denysvitali/searchparty-keys to decode the .plist files:

searchparty-keys decrypt ./OwnedBeacons/<ID>.record --key <KEY> > /tmp/test.plist

@haohuoq Do you have a pointer to some documentation on how to install macOS in VMWare in a way that it works with iCloud?

siebert avatar Sep 06 '24 22:09 siebert

BTW, I can recommend these cheap tracking devices (7,95€), which are compatible with the FindMy network (but don't feature UWB):

https://www.action.com/de-de/p/3202517/fresh-n-rebel-smart-finder/

There is also a credit card sized alternative with a rechargeable battery from the same company (11,95€), but I don't own that one:

https://www.action.com/de-de/p/3206175/fresh-n-rebel-smart-finder-card/

siebert avatar Sep 06 '24 22:09 siebert

> I used https://github.com/denysvitali/searchparty-keys to decode the .plist files:
>
> searchparty-keys decrypt ./OwnedBeacons/<ID>.record --key <KEY> > /tmp/test.plist
>
> @haohuoq Do you have a pointer to some documentation on how to install macOS in VMWare in a way that it works with iCloud?

I don't know about VMware specifically, but I can confirm that osx-kvm works if you change the OpenCore config, using some generic hackintosh instructions. Mostly forgot what to change exactly but I can look it up for you.

malmeloo avatar Sep 07 '24 20:09 malmeloo

> I don't know about VMware specifically, but I can confirm that osx-kvm works if you change the OpenCore config, using some generic hackintosh instructions. Mostly forgot what to change exactly but I can look it up for you.

I want to run the virtual machine on a Windows host. I was able to install a Virtual Box VM, but it fails to register with iCloud.

siebert avatar Sep 07 '24 20:09 siebert

I encountered the same incorectKeySize issue as @haohuoq. To address this and improve the overall functionality, I've made the following enhancements to the original script:

  1. Combined both scripts 1, 2 to process all files in one go
  2. Added key extraction functionality to automate the process
  3. Implemented comprehensive logging for better debugging and transparency
  4. Fixed the incorectKeySize issue
  5. Streamlined the workflow for easier use

You can find my full modified script here: [link to your gist]

This version has been tested on macOS Ventura. Feel free to use it and let me know if you encounter any issues or have suggestions for further improvements script

Gdocal avatar Oct 19 '24 10:10 Gdocal

I recently upgraded to macOS 15.1.1 and it seems like I can't access the BeaconStore key anymore, neither from commandline security -v find-generic-password -l 'BeaconStore' -g nor from the keychain app.

thisiscam avatar Dec 04 '24 19:12 thisiscam

> I recently upgraded to macOS 15.1.1 and it seems like I can't access the BeaconStore key anymore, neither from commandline security -v find-generic-password -l 'BeaconStore' -g nor from the keychain app.

I have the same problem on macOS 15. It works on macOS 14. I also tried dumping the keychain. Looking at the access controls, in 15, only searchpartyagent is allowed access; in macOS 14 there are more choices in the access control. Maybe Library/Keychains/<uuid>/keychain-2.db can be adjusted to allow other applications to access the key.

For now, I just log in to iCloud on the macOS 14 box and decrypt the tag plist files.

alfs avatar Dec 23 '24 00:12 alfs

Decoding the OwnedBeacons files with the airtag-decrypter.swift code modified by Gdocal works fine. Then I tried to find my own AirTag with the real_airtag.py example. Nothing. The FindMy app works fine.

Then I use this code to check the keys, and there is no match: analyze_plist.txt

Any idea why the keys would be wrong? Not complete or correct key calculation? BTW, checking for my own Macbook Air works fine, I get location data.

aircable avatar Jan 28 '25 19:01 aircable

> Decoding the OwnedBeacons files with the airtag-decrypter.swift code modified by Gdocal works fine. Then I tried to find my own AirTag with the real_airtag.py example. Nothing. The FindMy app works fine.
>
> Then I use this code to check the keys, and there is no match: analyze_plist.txt
>
> Any idea why the keys would be wrong? Not complete or correct key calculation? BTW, checking for my own Macbook Air works fine, I get location data.

Did you use iOS 18 to pair the AirTag? It might be related to #90, which I'm currently looking into. Please try the scanner example to see if it can find your tag.

Did you supply that script with a public key that your AirTag is currently broadcasting?

malmeloo avatar Jan 28 '25 19:01 malmeloo

It was paired with an iPhone but not a very new one. It was done in 2023. Check it. Maybe you can even use it to track. And no, I did not supply the current public key. Where is that option?

airtag.txt

aircable avatar Jan 28 '25 21:01 aircable

> It was paired with an iPhone but not a very new one. It was done in 2023. Check it. Maybe you can even use it to track. And no, I did not supply the current public key. Where is that option?
>
> airtag.txt

This is the scan result right now:

SEPARATED Device - CE:26:D4:16:59:DE
  Public key: zibUFlne9lm5+ZrVtf5Ch5XaM4xN2c9lBj3Cjw==
  Lookup key: WeSTs0O39Z/NB+iaFa9+147u6Y1S3dHjOHXNsI85KlE=
  Status byte: 10
  Hint byte: 9c
  Extra data:
    Adapter : /org/bluez/hci0
    Address : CE:26:D4:16:59:DE
    AddressType : random
    Alias : CE-26-D4-16-59-DE
    Blocked : False
    Bonded : False
    Connected : False
    LegacyPairing : False
    ManufacturerData : {76: bytearray(b'\x12\x19\x10\xf6Y\xb9\xf9\x9a\xd5\xb5\xfeB\x87\x95\xda3\x8cM\xd9\xcfe\x06=\xc2\x8f\x03\x9c')}
    Paired : False
    RSSI : -65
    ServicesResolved : False
    Trusted : False
    UUIDs : []

aircable avatar Jan 28 '25 21:01 aircable
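
The scan output in the post above can be cross-checked offline. The following is an added example (not part of the thread and not FindMy.py's own code) that rebuilds the advertised public key from the BLE address and the Apple ManufacturerData bytes in that scan. The payload layout it assumes (type 0x12, length 0x19, status byte, 22 key bytes, two spare key bits, hint byte) comes from public research on Find My offline-finding advertisements, not from this thread; `parse_separated_adv` is a name chosen here.

```python
import base64
import hashlib

OFFLINE_FINDING_TYPE = 0x12  # Apple offline-finding advertisement type (assumed layout)
SEPARATED_LEN = 0x19         # bytes that follow type+length in the separated state

# Values copied from the scan output posted in the thread.
ADDRESS = "CE:26:D4:16:59:DE"
MFG_DATA = bytes.fromhex("121910f659b9f99ad5b5fe428795da338c4dd9cf65063dc28f039c")
POSTED_PUBLIC_KEY = "zibUFlne9lm5+ZrVtf5Ch5XaM4xN2c9lBj3Cjw=="


def parse_separated_adv(address: str, payload: bytes) -> dict:
    """Rebuild the 28-byte advertised key from a 'separated' advertisement."""
    if len(payload) < 2 or payload[0] != OFFLINE_FINDING_TYPE:
        raise ValueError("not an offline-finding advertisement")
    if payload[1] != SEPARATED_LEN or len(payload) != 2 + payload[1]:
        raise ValueError("unexpected length for a separated-state advertisement")

    addr = bytes.fromhex(address.replace(":", ""))
    if len(addr) != 6:
        raise ValueError("BLE address must be 6 bytes")

    status = payload[2]
    key_tail = payload[3:25]       # key bytes 6..27
    top_bits = payload[25] & 0x03  # real top two bits of key byte 0
    hint = payload[26]

    # A random static BLE address has its two top bits forced to 1, so the
    # original top bits of the first key byte travel separately in the payload.
    first = (top_bits << 6) | (addr[0] & 0x3F)
    key = bytes([first]) + addr[1:] + key_tail

    return {
        "status": status,
        "hint": hint,
        "public_key_b64": base64.b64encode(key).decode(),
        # SHA-256 of the advertised key, for comparison with the scan's
        # "Lookup key" line.
        "lookup_key_b64": base64.b64encode(hashlib.sha256(key).digest()).decode(),
    }


if __name__ == "__main__":
    result = parse_separated_adv(ADDRESS, MFG_DATA)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("matches posted key:", result["public_key_b64"] == POSTED_PUBLIC_KEY)
```

Because the key is fully recoverable from a passive scan, the advertisement alone identifies which rotating key a tag is currently broadcasting.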

Hm, maybe it's something else then. Thank you for sharing more info, that definitely helps. Are you sure you're comfortable with sharing the plist publicly though? Anyone who manages to get it to work will be able to track your tag until you re-pair it.

That script you posted was an early test from back when I was still investigating how AirTags work. You're supposed to provide a public key and it will iterate over the AirTag's potential keys until it finds it, to make sure the algorithm works. It's useful for debugging, but it doesn't have a lot of practical uses 🙂

malmeloo avatar Jan 28 '25 22:01 malmeloo

I know. I was trying that test script after the real_airtag.py script failed to produce anything. A bit of debug inside the key generation should show what's wrong. Anything I can do as well?

aircable avatar Jan 28 '25 22:01 aircable

If you want you could debug it yourself by putting the public key from that scan into the debugging script and running it to see if it comes up with something. But I'll likely find some more time to properly look into it this week, and the data you posted should allow me to reproduce the issue.

malmeloo avatar Jan 28 '25 23:01 malmeloo

Here is a thought: since it has been so long after registering, and the battery was out for a long time, the key generation of your script would need to use the secondary secret, right? I didn't check the key tester file, but does it do that?

aircable avatar Jan 29 '25 18:01 aircable

It should do that, unless the logic is broken somehow. Has your tag connected to one of your devices since putting the battery back in, though? If the time kept by the accessory is not synchronised it may be broadcasting keys from the past.

malmeloo avatar Jan 29 '25 19:01 malmeloo

Probably true, it is not connected since I don't have an iPhone ;-) just a Macbook. And I can track it with the FindMy app on an older Mac Mini and the M1 air. So, my thoughts were to use the analyze_plist.py code to see if I can recreate all possible keys. What I conclude from that is that we can't generate the keys used or we don't generate all of them, or the real_airtag.py somehow is out of sync with the key used. Tell me, how many keys are there? I thought the Airtag only uses a few keys, not hundreds.

aircable avatar Jan 29 '25 19:01 aircable

Oh no, it has many keys. It uses 3 distinct "seed" values, but the current, broadcasted key is determined by an internal state machine and a key rollover algorithm. In the "worst case" scenario, the broadcasted key changes every 15 minutes, but since it also depends on the current state of the tag, there are several "potential" keys at any given point in time.

I thought macbooks also connected to AirTags, but I'm not sure. Maybe the internal clock has shifted too much, but the script should still find the keys in that case.

malmeloo avatar Jan 31 '25 11:01 malmeloo

I am on macOS 15 and I can see that the script fails for me as well. Looking into the script, it's due to:

$ security find-generic-password -l 'BeaconStore' -g ~/Library/Keychains/login.keychain-db
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

Did some more research: it appears that the 'BeaconStore' key shows up in the Keychain Access tool. Looking further, the Keychain is set to iCloud. I believe the issue occurs because macOS has moved BeaconStore into the iCloud-stored keychain.

The Keychain Access > 'BeaconStore' > File > Export option is grayed out

maanisim avatar Jan 31 '25 12:01 maanisim

I was able to decrypt that BeaconStore password on my M1. Feel free to use that password to find my Airtag. It's just a tester. All details about that particular Airtag are in this thread.

decryptor_swift.txt

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>$archiver</key>
        <string>NSKeyedArchiver</string>
        <key>$objects</key>
        <array>
                <string>$null</string>
                <dict>
                        <key>$class</key>
                        <dict>
                                <key>CF$UID</key>
                                <integer>3</integer>
                        </dict>
                        <key>ChangeTokenData</key>
                        <dict>
                                <key>CF$UID</key>
                                <integer>2</integer>
                        </dict>
                </dict>
                <data>
                AQAAAAAAAAQNf/////////+eZ7d+wZNJJIjGdSsi/0+K
                </data>
                <dict>
                        <key>$classes</key>
                        <array>
                                <string>CKServerChangeToken</string>
                                <string>NSObject</string>
                        </array>
                        <key>$classname</key>
                        <string>CKServerChangeToken</string>
                </dict>
        </array>
        <key>$top</key>
        <dict>
                <key>root</key>
                <dict>
                        <key>CF$UID</key>
                        <integer>1</integer>
                </dict>
        </dict>
        <key>$version</key>
        <integer>100000</integer>
</dict>
</plist>

The script I use is attached here. It works on newer OSX, not on my old MacMini.

aircable avatar Jan 31 '25 18:01 aircable

Continuing the above discussion in #90

malmeloo avatar Feb 03 '25 16:02 malmeloo

Hi I just wanted to share a python solution for obtaining the .plist files that might be more accessible/extensible for everybody here intending to use the FindMy.py library:

airtag_decryptor.py

I use this script on my MacOS .plist export wizard GUI for my Android project. More info here

parawanderer avatar Mar 22 '25 20:03 parawanderer

I successfully obtained the key for decrypting the plist-files by disabling the macOS security features that prevent access temporarily, as described in (https://github.com/seemoo-lab/airdrop-keychain-extractor).

Full description and the needed code is here: https://github.com/pajowu/beaconstorekey-extractor

pajowu avatar Apr 12 '25 13:04 pajowu